Separate area view discovery list for increased precision

Author: joefarebrother

csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSFlowSteps.qll

@@ -68,6 +68,9 @@ private class ViewCall extends MethodCall {
       result = attr.getArgument(0).(StringLiteral).getValue()
     )
   }
+
+  /** `result` is `true` if this cal is from a controller that is an an Area, `false` otherwise. */
+  boolean hasArea() { if exists(this.getAreaName()) then result = true else result = false }
 }
 
 /** A compiler-generated Razor page. */
@@ -119,38 +122,43 @@ private predicate viewCallRefersToPageRelative(ViewCall vc, RazorPage rp) {
 }
 
 /** Gets the `i`th template for view discovery. */
-private string getViewSearchTemplate(int i) {
-  i = 0 and result = "/Areas/{2}/Views/{1}/{0}.cshtml"
+private string getViewSearchTemplate(int i, boolean isArea) {
+  i = 0 and result = "/Areas/{2}/Views/{1}/{0}.cshtml" and isArea = true
+  or
+  i = 1 and result = "/Areas/{2}/Views/Shared/{0}.cshtml" and isArea = true
   or
-  i = 1 and result = "/Areas/{2}/Views/Shared/{0}.cshtml"
+  i = 2 and result = "/Views/{1}/{0}.cshtml" and isArea = false
   or
-  i = 2 and result = "/Views/{1}/{0}.cshtml"
+  i = 3 and result = "/Views/Shared/{0}.cshtml" and isArea = [true, false]
   or
-  i = 3 and result = "/Views/Shared/{0}.cshtml"
+  i = 4 and result = "/Pages/Shared/{0}.cshtml" and isArea = true
   or
-  i = 4 and result = getAViewSearchTemplateInCode()
+  i = 5 and result = getAViewSearchTemplateInCode(isArea)
 }
 
 /** Gets an additional template used for view discovery defined in code. */
-private string getAViewSearchTemplateInCode() {
+private string getAViewSearchTemplateInCode(boolean isArea) {
   exists(StringLiteral str, MethodCall addCall |
     addCall.getTarget().hasName("Add") and
     DataFlow::localExprFlow(str, addCall.getArgument(0)) and
-    addCall.getQualifier() = getAViewLocationList() and
+    addCall.getQualifier() = getAViewLocationList(isArea) and
     result = str.getValue()
   )
 }
 
 /** Gets a list expression containing view search locations */
-private Expr getAViewLocationList() {
-  result
-      .(PropertyRead)
-      .getProperty()
-      .hasQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorViewEngineOptions",
-        [
-          "ViewLocationFormats", "AreaViewLocationFormats",
-          //"PageViewLocationFormats","AreaPageViewLocationFormats"
-        ])
+private Expr getAViewLocationList(boolean isArea) {
+  exists(string name |
+    result
+        .(PropertyRead)
+        .getProperty()
+        .hasQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorViewEngineOptions", name)
+  |
+    name = "ViewLocationFormats" and isArea = false
+    or
+    name = "AreaViewLocationFormats" and isArea = true
+    // PageViewLocationFormats and AreaPageViewLocationFormats are used for calls within a page rather than a controller
+  )
 }
 
 /** A filepath that should be searched for a View call. */
@@ -160,7 +168,7 @@ private class RelativeViewCallFilepath extends NormalizableFilepath {
 
   RelativeViewCallFilepath() {
     exists(string template, string sub2, string sub1, string sub0 |
-      template = getViewSearchTemplate(idx_)
+      template = getViewSearchTemplate(idx_, vc_.hasArea())
     |
       (
         if template.matches("%{2}%")

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Controllers/TestController.cs

@@ -101,6 +101,7 @@ public class Test3Controller : Controller {
     public void Setup(RazorViewEngineOptions o) {
         o.ViewLocationFormats.Add("/Views/Custom/{1}/{0}.cshtml");
         o.ViewLocationFormats.Add("~/Views/Custom2/{0}.cshtml");
+        o.AreaViewLocationFormats.Add("/MyAreas/{2}/{1}/{0}.cshtml");
     }
 
     public IActionResult Test15(UserData tainted15) {
@@ -132,7 +133,17 @@ public IActionResult test19(UserData tainted19) {
     }
 
     public IActionResult test20(UserData tainted20) {
-        // SPURIOUS: Expected to find nothing (and NOT /Views/Test4/Test20.cshtml).
+        // Expected to find nothing (and NOT /Views/Test4/Test20.cshtml).
         return View("Test20", tainted20);
     }
+
+    public IActionResult test21(UserData tainted21) {
+        // Expected to find file /Pages/Shared/Test21.cshtml
+        return View("Test21", tainted21);
+    }
+
+    public IActionResult test22(UserData tainted22) {
+        // Expected to find file /MyAreas/TestArea/Test4/Test22.cshtml
+        return View("Test22", tainted22);
+    }
 }

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/MyAreas_Test4_Test22.cshtml.g.cs

@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.MyAreas_Test4_Test22), @"mvc.1.0.view", @"/MyAreas/Test4/Test22.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/MyAreas/Test4/Test22.cshtml")]
+    public class MyAreas_Test4_Test22 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "MyAreas/Test4/Test22.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "MyAreas/Test4/Test22.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "MyAreas/Test4/Test22.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Pages_Shared_Test21.cshtml.g.cs

@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Pages_Shared_Test21), @"mvc.1.0.view", @"/Pages/Shared/Test21.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Pages/Shared/Test21.cshtml")]
+    public class Pages_Shared_Test21 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Pages/Shared/Test21.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Pages/Shared/Test21.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Pages/Shared/Test21.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/MyAreas/Test4/Test22.cshtml

@@ -0,0 +1,9 @@
+@namespace test
+@model UserData
+@{
+}
+
+@if (Model != null)
+{
+    <h3>Hello "@Html.Raw(Model.Name)"</h3>
+}

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Pages/Shared/Test21.cshtml

@@ -0,0 +1,9 @@
+@namespace test
+@model UserData
+@{
+}
+
+@if (Model != null)
+{
+    <h3>Hello "@Html.Raw(Model.Name)"</h3>
+}